CISA Issues Emergency Directive for Cisco SD-WAN Vulnerabilities
Summary
CISA has issued Emergency Directive (ED) 26-03 to mitigate vulnerabilities in Cisco SD-WAN systems, which pose an unacceptable risk to federal networks. The directive requires immediate action from Federal Civilian Executive Branch (FCEB) agencies to inventory, collect artifacts, patch, hunt for evidence of compromise, and implement hardening measures. The directive follows collaborative efforts with international partners and emphasizes the critical need for immediate response due to the ease of exploitation of these vulnerabilities. Attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure, with a critical authentication bypass vulnerability (CVE-2026-20127) allowing unauthenticated attackers to obtain administrative access.
Timeline
- 25.02.2026 14:00 (2 articles): CISA Issues Emergency Directive for Cisco SD-WAN Vulnerabilities
CISA issued Emergency Directive (ED) 26-03 on February 25, 2026, requiring immediate action from Federal Civilian Executive Branch (FCEB) agencies to mitigate vulnerabilities in Cisco SD-WAN systems. The directive includes steps for inventorying systems, collecting artifacts, patching vulnerabilities, hunting for evidence of compromise, and implementing hardening measures. The directive follows collaborative efforts with international partners and emphasizes the critical need for immediate response due to the ease of exploitation of these vulnerabilities. Attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure, with a critical authentication bypass vulnerability (CVE-2026-20127) allowing unauthenticated attackers to obtain administrative access. Federal agencies must report remediation and logging actions to CISA by multiple deadlines through March 23, 2026.
Sources:
- Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems — www.cisa.gov — 25.02.2026 14:00
- CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
Information Snippets
- CISA issued Emergency Directive (ED) 26-03 to address vulnerabilities in Cisco SD-WAN systems.
  First reported: 25.02.2026 14:00 (2 sources, 2 articles). Sources:
  - Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems — www.cisa.gov — 25.02.2026 14:00
  - CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
- The directive requires agencies to inventory systems, collect artifacts, patch, hunt for evidence of compromise, and implement hardening measures.
  First reported: 25.02.2026 14:00 (2 sources, 2 articles). Sources:
  - Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems — www.cisa.gov — 25.02.2026 14:00
  - CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
- The directive specifically names CVE-2026-20127 and CVE-2022-20775 as vulnerabilities to patch.
  First reported: 25.02.2026 14:00 (2 sources, 2 articles). Sources:
  - Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems — www.cisa.gov — 25.02.2026 14:00
  - CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
- CISA collaborated with international partners including NSA, ASD's ACSC, Cyber Centre, NCSC-NZ, and NCSC-UK.
  First reported: 25.02.2026 14:00 (1 source, 1 article). Sources:
  - Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems — www.cisa.gov — 25.02.2026 14:00
- Attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure used across US federal networks.
  First reported: 12.03.2026 14:45 (1 source, 1 article). Sources:
  - CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
- The flaw tracked as CVE-2026-20127 is a critical authentication bypass vulnerability with a CVSS severity score of 10.
  First reported: 12.03.2026 14:45 (1 source, 1 article). Sources:
  - CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
- The vulnerability could allow an unauthenticated attacker to obtain administrative access to SD-WAN infrastructure.
  First reported: 12.03.2026 14:45 (1 source, 1 article). Sources:
  - CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
- Federal agencies must report remediation and logging actions to CISA by multiple deadlines through March 23, 2026.
  First reported: 12.03.2026 14:45 (1 source, 1 article). Sources:
  - CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
- CISA's directive emphasizes artifact collection and centralized logging to determine the scope of the threat.
  First reported: 12.03.2026 14:45 (1 source, 1 article). Sources:
  - CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
Similar Happenings
Cisco SD-WAN Zero-Day Exploited by Highly Sophisticated Threat Actor
A critical zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited by a highly sophisticated threat actor tracked as UAT-8616. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges. Exploitation dates back to 2023, and Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The vulnerability has a CVSS score of 10.0, indicating maximum severity. Cisco is actively tracking the exploitation and the post-compromise activity associated with this flaw.
Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023
A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from an improperly functioning peering authentication mechanism, which lets attackers log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been observed leveraging the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and they have cleared evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue in the Data Collection Agent (DCA) feature that allows an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug in the API that allows a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.